Enterprise Agent Inventory Maturity in 2026: Cloud, Code, and SaaS Signals
Executive Summary
Black Aether interviewed platform, security, and product leaders at 38 organizations between March and May 2026—most had completed or started a spring secrets and OAuth review. The differentiator for teams moving agents to production safely was not model choice; it was whether they could produce a cross-surface inventory (cloud, code, SaaS) with owners in under ten business days.
Key Findings
Level 0 (reactive): no unified list; discovery begins only after an advisory or audit request—median time to first credible inventory: 4–6 weeks.
Level 1 (siloed): separate spreadsheets for SaaS apps, cloud resources, and repos; owners disagree on counts—common in organizations past first agent pilot.
Level 2 (joined): single catalog with environment tags and data-class labels; security and platform share a weekly diff—teams at this level reported 40% faster revocation decisions in tabletop exercises.
Level 3 (instrumented): automated signals from repos, cloud APIs, and identity providers feed the catalog; policy hooks (approval, logging) attach to entries—not widespread, but present in regulated industries and high-traffic consumer platforms.
SaaS remains the weakest signal: only 24% of respondents could list all AI-adjacent OAuth grants with business owners without manual interviews.
Code scanning without owner context creates false confidence: teams that only grep for SDK imports miss low-code automations and MCP bridges installed on individual machines.
Methodology
Structured interviews with directors and principals in platform engineering, application security, and AI product roles. Organizations ranged from 400 to 12,000 employees, predominantly North America and Europe, with hybrid cloud and heavy SaaS adoption.
Cloud signals that matter
Leaders weighted IAM attachments, scheduled jobs invoking models, and managed workflow products above raw token spend. Spend alone did not reveal agents with infrastructure side effects.
Code signals that matter
Version-controlled agent definitions, CI workflows calling models, and internal admin tools with tool-calling ranked highest for risk scoring. Ad-hoc notebooks and local MCP servers were cited as the fastest-growing blind spot.
SaaS signals that matter
Mail, calendar, drive, CRM, and support integrations dominated concern lists—aligned with spring incident narratives emphasizing workspace compromise paths rather than model jailbreaks.
Recommendations
Run a two-week May discovery sprint with shared output format across the three surfaces. Assign business owners before debating tool bans. Pair inventory with one measurable control improvement—logging, approval gates, or scope reduction—so the exercise is not documentation for its own sake.
Conclusion
Agent governance in 2026 is an inventory problem wearing a policy costume. Teams that can discover agents across cloud, code, and SaaS—and keep that catalog current—report calmer security reviews and faster product iteration. Teams that cannot are one integration away from repeating April’s lessons with a different vendor name.
Frequently asked questions
- What is agent inventory maturity Level 2?
- A single catalog with environment tags and data-class labels, maintained by platform and security with a weekly diff—owners agree on counts across cloud, code, and SaaS surfaces.
- What is the most common gap in enterprise agent inventories?
- SaaS OAuth grants for AI-adjacent tools: only about one quarter of surveyed teams could list all such grants with business owners without manual interviews.
- Does scanning code repos alone satisfy agent discovery?
- No. Repo scans miss low-code automations, personal MCP bridges, and SaaS connectors; mature programs combine automated signals with owner reconciliation.
Ready to Apply These Insights?
Let's discuss how these research findings apply to your organization and explore strategies to implement these insights.
A strategic AI and digital transformation consulting firm helping enterprises modernize, build resilience, and accelerate AI adoption through AI transformation, software engineering, cloud engineering, and product management expertise.
Capabilities
© 2026 Black Aether LLC. All rights reserved.